Cyble’s CRIL analyzes a PurpleFox campaign delivered via spam emails containing Word attachments, triggering multi-stage PowerShell payloads and steganography to hide the final MSI dropper. The operation culminates in PurpleFox payload deployment with anti-det…
Category: Threat Research
The article analyzes how the CL0P ransomware group shifted from traditional leak sites to distributing stolen data via torrents, revealing their seed infrastructure and tradecraft. It also shows how defenders can glean insights by mapping seeders and peers, an…
Attackers exploited Bing Chat ads to push users toward malware-laden sites, combining malvertising with phishing-style landing pages. The campaign used a malicious MSI installer and a remote C2 to deliver and fetch payloads after users attempted to download so…
LockBit, BlackCat, and Clop were the most active RaaS families in 1H 2023, exploiting public-facing application vulnerabilities and third-party suppliers to deploy ransomware, steal data, and demand large ransoms. Attacks included exploitation of PaperCut, MOV…
Huntress’ analysis of September 2023 intrusions shows a converging adversary tradecraft across multiple victims, emphasizing LOLBins, evasion, and social engineering tied to Netscaler-related activity. The campaign involved obfuscated PowerShell, credential ha…
Cyble researchers describe Exela Stealer, a Python-based open-source data-stealing tool targeting social platforms and Chromium-based browsers, with multiple anti-analysis features. The malware exfiltrates credentials, tokens, and session data via Discord webh…
Budworm continues to develop its toolset, unveiling an updated SysUpdate backdoor variant (SysUpdate DLL inicore_v2.3.30.dll) used against a Middle Eastern telecommunications organization and an Asian government in August 2023. The group combines DLL sideloadi…
Volexity documents a multi-year campaign by the state-aligned threat actor EvilBamboo that uses repackaged mobile apps, fake sites, Telegram communities, and browser profiling to deliver Android and iOS spyware. The actor operates at least three Android famili…
Secureworks CTU attributes multiple intrusions to GOLD MELODY, an initial access broker that exploits unpatched internet-facing servers to deploy web shells, backdoors, and tunneling tools before selling access to other criminal groups. Observed tooling and be…
AhnLab’s ASEC reports a malicious LNK file that impersonates the National Tax Service and is being distributed to Korean users via a URL in emails. The dropped payload delivers a multi-stage downloader using PowerShell and VBScript, leading to data collection …
Ransomed.vc has shifted from an underground forum to a high‑velocity ransomware operation, announcing an extortion target on Japan’s NTT Docomo after leaking Sony data. The group leans on supply‑chain perceptions, GDPR‑pressure rhetoric, and a growing affiliat…
Brute Ratel C4 is a red team and adversary simulation tool; this analysis focuses on its badger (agent), specifically the commands that perform user impersonation, process injection, token privilege manipulation, and C2 communications. The Part 2 analysis documents th…
NSFOCUS Security Labs uncovered AtlasCross, a newly identified APT actor conducting targeted phishing to compromise specific targets. The operation deploys two Trojan horses, DangerAds and AtlasAgent, with strong defense evasion and a standby C2 network. #Atla…
China-aligned threat actors are increasingly involved in strategic intrusions in Africa, aiming to extend the PRC’s influence across the continent.
Key Insights
APT29’s pace of operations and emphasis on Ukraine increased in the first half of 2023 as Kyiv launched its counteroffensive, pointing to the SVR’s central role in collecting intelligence concerning the current pivotal phase of the war.
During this period, Mandiant has tracked substantial changes in APT29’s tooling and tradecraft, likely…